Intrusion Detection SystemsIntrusion Detection Systems

Elevated to theNext Level

22nd Chaos Communication Congress

Alien8 - Matthias Petermann

Agenda● Attacks and Intrusion Methods

● Why Intrusion Detection?

● IDS Technologies

● Basic Problems

● A hybrid IDS framework

● Remaining problems

● Basic correlation

● An advanced correlation approach

Attacks and Intrusion Methods (1)● Automatic attacks

– Worms / Viruses

– Trojan horses

– Makes lots of noise

● Manual attacks

– Difficult to find

– Cover, Concealment, Camouflage

Attacks and Intrusion Methods (2)● Methods

– Local attacks● Privilege Escalation● Buffer Overflows● Format String attacks● Race conditions ● ...

– Remote attacks● Buffer Overflows● Remote Discovery● Denial of Service● Trojans of all kinds (Bots)● ...

Real Life in someones network● Some have to live with:

– Crappy software

– 0day exploits

– Black boxes

– Lazy admins

– Non patch-able systems

– Trade offs

short real live environments

What's Intrusion Detection good for?

● Intrusion Detection Systems help to:

– Recognise damage and affected systems

– Evaluating incidents

– Trace back intrusions

– Forensic analysis

● It doesn't compensate for bad security!

Discover what is going on!

IDS Technologies

IDS

IDS Technologies

Host based(HIDS)

Network based(NIDS)

IDS

IDS Technologies

Host based(HIDS)

Network based(NIDS)

IDS

TrafficAnalyzer

Network based Technologies (1)● Traffic analyser (e.g. Snort)

– Pre-processors for:● Detecting portscans● Reassembling TCP-streams● Decoding RPC, HTTP, ...● Detecting viruses (ClamAV plugin)

– Signature based pattern matching engine:● Detecting traffic pattern● Detecting protocol violations (x-mas scan)

Snort Signature Rule Examples

Basic rule to match e. g. telnet connections:

alert tcp $EXTERNAL_NET any <> $HOME_NET 23 (msg:"Port23-TRAFFIC tcp port 23 traffic";flow:stateless; classtype:misc-activity; sid:523; rev:1;)

Basic rule to match NetBus backdoor activity:

alert tcp $HOME_NET 12345:12346 -> $EXTERNAL_NET any (msg:"BACKDOOR netbus active"; flow:from_server,established; content:"NetBus"; reference:arachnids,401; classtype:misc-activity; sid:109; rev:5;)

IDS Technologies

Host based(HIDS)

Network based(NIDS)

IDS

TrafficAnalyzer

TrafficAccounting

Network based Technologies (2)● Traffic Accounting (e. g. NetFlow)

– NetFlow is a standardised protocol

– Invented for accounting purposes

– Implementation:● Flow-probes and flow-collectors● Implemented in routers and switches● Implementation: fprobe, flow-tools

– Value for IDS:● Detection of anomalies in network utilisation

– Please don't tell Mr. Schäuble about it

NetFlow Components

IDS Technologies

Host based(HIDS)

Network based(NIDS)

IDS

TrafficAnalyzer

TrafficAccounting

Virtualhoneypots

Virtual honeypots/-nets

● Honeypot = dedicated system with traps

● No production purpose: access to a honeypot is always suspect!

● “real” honeypots costly to deploy

● -> virtual honeypots (e.g. Honeyd)

– Emulates whole network topology (routers, switches)

– Emulates hosts with identity of choice (nmap based)

– Scriptable “fake”-services

– Supports forwarding to real services

● Supplement to qualify IDS events

IDS Technologies

Host based(HIDS)

Network based(NIDS)

IDS

TrafficAnalyzer

TrafficAccounting

Virtualhoneypots

IDS Technologies

Host based(HIDS)

Network based(NIDS)

IDS

TrafficAnalyzer

TrafficAccounting

SyslogVirtualhoneypots

Host based Technologies (1)● Syslog

– Centralised logging facility for almost everything

– Analyzing log files tells you about:● Failed / successful logins● Access to services such as web- or mail servers● Firewall (accepted / blocked packets)● Creation of new users● Hardware events● Mounts● ...

– Hard to wipe out logs if logged to external system

– Tools for analysis: logcheck

IDS Technologies

Host based(HIDS)

Network based(NIDS)

IDS

TrafficAnalyzer

TrafficAccounting

Syslog File-Finger-printing

SystraceVirtualhoneypots

SystemIntegrityChecks

Host based Technologies (2)● File-Fingerprinting

– Calculates and checks cryptographic hashes of files

– Detect changed files

– Additional features (e.g. by Samhain):● Detect changed file access rights and time● Creation of new files● owner/group changes● Deletion of files / log files● Detect kernel rootkits on Linux and FreeBSD

– Value for IDS: Detect manipulation of files, Remember: Everything is a file

IDS Technologies

Host based(HIDS)

Network based(NIDS)

IDS

TrafficAnalyzer

TrafficAccounting Syslog

File-Finger-printing Systrace

Virtualhoneypots

SystemIntegrityChecks

Host based Technologies (3)● System integrity checks

– Chkrootkit● Looks for traces of known root kits

– Tiger● Listening processes● Package database checks

– Unknown files

– Vulnerability checks

– Historical performance data● Look for anomalies

diversity of tools

IDS Technologies

Host based(HIDS)

Network based(NIDS)

IDS

TrafficAnalyzer

TrafficAccounting Syslog

File-Finger-printing Systrace

Virtualhoneypots

SystemIntegrityChecks

Host based Technologies (4)● Systrace

– Security layer for syscalls

– Can be enabled for selected processes

– Requested syscall has to match policy

– Policy manager processes syscall requests

– Denied syscalls will be logged

– Implementations● Natively included in OpenBSD and NetBSD● Kernel patches for Linux and FreeBSD

● RBAC (Role based access control)

– grsec, rsbac

Current Problems● IDS implementations not designed to co-operate

● Different storage formats for IDS events

– Snort: MySQL, flat-files, binary files...

– NetFlow: sending UDP packets to collector

– Syslog: flat files or syslog server

– Samhain: MySQL, Yule, Flat-File

– Honeyd: flat file

● Distributed data storage

● No common / comprehensive analysis tools (one to do it all)

Requirements for the Ideal System (TM)

● Standardised storage format

● Centralised data storage

● Common analysis tool

The Intrusion Detection Message Exchange Format (IDMEF)

● Problem: Sensors provide different data

– NIDS: IP-addresses, TCP-flags, payload

– HIDS: file-names, access-rights

● How to store this in a general format?

– IDMEF is an object oriented format

– Reference implementation in XML

● Yet another file format?

– No! IDMEF is an IETF Internet Draft

– Undergoes evaluation to become RFC

one format to store 'em all!

IDMEF Example<IDMEF-Message> <Alert messageid="5086374041697">

... <CreateTime ntpstamp="0xc739ad2d.0xa4069000"> 2005-12-01T18:11:09.640725+01:00</CreateTime> ... <Source spoofed="unknown"> <Node category="unknown"> <Address category="unknown"> <address>172.20.203.12</address> </Address> </Node> ... </Source> ... </Alert></IDMEF-Message>

LibPreludeDB

LibPrelude

LibPrelude

LibPrelude

The Prelude-IDS Framework (1)

Prelude-Manager

SensorSensor(Snort)

SensorSensor(Samhain)

SensorSensor(LML)

.

.

.

IDMEF/TLS

IDMEF/TLS

IDMEF/TLS

LibPreludeDB

PreWikka IDS ConsoleLocal cache

The Prelude-IDS Framework (2)● Already Prelude-enabled sensors:

– Snort

– Samhain

● Others:

– Use Prelude-LML!

– log file analyser (PCRE, map to IDMEF)

● Special cases:

– Client-API in C, Python and Perl

Remaining problems...● Distributed IDS sensors will report many events

– Multiple sensors distributed all over

– Different sensor technologies

● Human admin unable to investigate every single event

● Single events don't give a reliable shape of an incident

To many events

Basic correlation principle● Events in a defined time window

● Define rule that matches timely appearance of events that could belong together

● Conjunction of events by AND

Problem: sharp rules● Sharp rules too exact for dynamic behaviour

● One failure in rule -> wrong conclusion

● “Binary” conclusions are insufficient

● Not the way one will investigate what has happened

Short Fuzzy Set Intro● Extension to classic sets

● Fuzzy [set|logic|control]

● Membership function

1

temperature

cold warm

23°5° 18°

More Membership Functions

Applying Fuzzy Sets to IDSs● Formulate a “Fuzzy-rule”, containing:

– Events

– Membership function w/ parameters

– Limits, repetition function

● Evaluate the “Fuzzy-rule”

– Search for matching events

– Calculate grade of membership

● Correlation:

– Membership grade -> probability values

– Result: application of combination theory -> multiplication of membership grades

Simple Example: A basic Worm Attack● File Changed

● Buffer Overflow

● ICMP Ping

µE4(t4)=1.0

µE3(t3)=0.9

µE2(t2)=0.8

Likelihood of the incident:

µ = µE4(t4) * µE3(t3) * µE2(t2)µ = 1.0 * 0.9 * 0.8µ = 0.72

Fuzzy IDS Evaluation● Fuzzy rules help to improve correlation results

– wider rule definitions -> wider range of results

– sharper rule definitions -> more precise results

● Adjustable parameters

– Stretch or compress membership functions

– Rate quantity of events

● Implementation

– Rule-based evaluation/correlation module for Prelude-IDS

– Statistic analysis of intrusion attempts / report generation

– Instant Messaging, level of escalation

Conclusion● Use all the data sources you can get

● Use clever methods to summarise, correlate and evaluate the data

● Look at the reports